
Security issue in post_list.jsx

Open moooji opened this issue 9 years ago • 1 comment

These two lines in post_list.jsx seem a bit insecure and basically crying for a "Mongo-injection", well actually it is a Mongo query injection :) It would be possible for the client to change `{category: {$ne: "private"}}` to `{category: "private"}` and get all private posts, or?

```js
var selector = {category: {$ne: "private"}};
var handle = Meteor.subscribe('posts', selector);
```

This code seems to run on both client and server, so maybe the server part will override and prevent the client from doing bad things, but in general it feels bad to have a potentially insecure pattern in a sample app that might inspire others to use those subscription patterns outside of React in pure client code.

moooji avatar Aug 08 '15 07:08 moooji

Yep. Good idea. I just want to do some filtering. Just to show with SSR, it only picks the data that comes from subscriptions.

Send me a PR with a fix.

arunoda avatar Aug 08 '15 07:08 arunoda